CN109005175B - Network protection method, device, server and storage medium - Google Patents

Publication number: CN109005175B
Authority: CN (China)
Prior art keywords: message, server, watermark, user identification, user
Legal status: Active
Application number: CN201810889947.0A
Other languages: Chinese (zh)
Other versions: CN109005175A (en)
Inventors: 陈国�, 罗喜军, 周志彬
Current Assignee: Tencent Technology Shenzhen Co Ltd
Original Assignee: Tencent Technology Shenzhen Co Ltd
Application filed by Tencent Technology Shenzhen Co Ltd; priority to CN201810889947.0A; published as CN109005175A; application granted and published as CN109005175B.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L 63/306 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information; intercepting packet switched data communications, e.g. Web, Internet or IMS communications
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service

Abstract

The invention discloses a network protection method, a network protection device, a server and a storage medium, and belongs to the field of network security. The method comprises the following steps: when the server is attacked, acquiring a message sent to the server, the message comprising a user identifier and a security watermark; detecting the legality of the message according to the security watermark in the message to obtain a detection result; when the detection result is that the message is legal, counting the number of times the user identifier in the message has occurred within the period; when that number exceeds a threshold, discarding the message; and when it does not exceed the threshold, forwarding the message to the server. Through the cooperation of the security watermark and the per-period count of the user identifier, the scheme can intercept illegal messages sent by common attack methods as well as messages sent by replay attack, so that normal operation of the server is ensured.

Description

Network protection method, device, server and storage medium
Technical Field
The present invention relates to the field of network security, and in particular, to a network protection method, apparatus, server, and storage medium.
Background
Distributed Denial of Service (DDoS) attacks refer to a hacker directing a large amount of abnormal traffic at a destination server by controlling a botnet distributed across many locations; the server is kept busy processing the abnormal traffic, cannot process normal user requests, and may even crash, which results in denial of service.
Against DDoS attacks, the related art provides a watermark-based protection strategy: when a client sends an uplink message to a server, the message must carry a watermark field computed by a predetermined algorithm. A protection end is arranged between the client and the server and decides whether to forward the message to the server by verifying the validity of the watermark field in the uplink message, so that illegal messages are intercepted.
However, when the attacker performs a replay attack with stolen legitimate messages, this protection strategy cannot protect against the attack effectively.
Disclosure of Invention
The embodiments of the invention provide a network protection method, a network protection device, a server and a storage medium, which solve the problem in the related art that the protection strategy cannot protect effectively when an attacker performs a replay attack with stolen legitimate messages. The technical scheme is as follows:
in one aspect, a network protection method is provided, and the method includes:
when a server is attacked, acquiring a message sent to the server, the message comprising a user identifier and a security watermark; detecting the legality of the message according to the security watermark in the message to obtain a detection result; when the detection result is that the message is legal, counting the number of times the user identifier in the message has occurred within the period; when that number exceeds a threshold, discarding the message; and when it does not exceed the threshold, forwarding the message to the server.
In another aspect, a network protection device is provided, the device including:
a receiving module for acquiring a message sent to the server when the server is attacked, the message comprising a user identifier and a security watermark; a detection module for detecting the legality of the message according to the security watermark in the message to obtain a detection result; a counting module for counting the number of times the user identifier in the message has occurred within the period when the detection result is that the message is legal; and a filtering module for discarding the message when that number exceeds a threshold, and forwarding the message to the server when it does not exceed the threshold.
In another aspect, a server is further provided, where the server includes a processor and a memory, where the memory stores at least one instruction, and the instruction is loaded and executed by the processor to implement the network defense method according to the first aspect.
In another aspect, a computer-readable storage medium is provided, in which at least one instruction is stored, and the instruction is loaded and executed by a processor to implement the network defense method according to the first aspect.
The technical scheme provided by the embodiments of the invention has the following beneficial effects:
after a message sent by a client is received, the security watermark in the message is verified first to determine whether the message is legal; when the detection result is that the message is legal, the number of times the user identifier in the message has occurred within the period is counted, and whether to forward or intercept the message is decided according to whether that number exceeds a threshold. Through the cooperation of the security watermark and the per-period count of the user identifier, the scheme can intercept illegal messages sent by common attack methods as well as messages sent by replay attack, so that normal operation of the server is ensured.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a schematic topology diagram of a network defense system according to an embodiment of the present invention;
Fig. 2 is a flowchart of a network protection method according to an embodiment of the present invention;
Fig. 3 is a flowchart of another network defense method provided by an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a packet according to an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of a network defense apparatus according to an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of a server according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, embodiments of the present invention will be described in detail with reference to the accompanying drawings.
In order to facilitate understanding of the technical scheme provided by the embodiment of the present invention, the following describes problems existing in the existing DDoS attack protection scheme:
DDoS attacks can be divided into two major classes: bandwidth-blocking attacks and resource-consuming attacks. In a bandwidth-blocking attack, the hacker sends malicious traffic such as long User Datagram Protocol (UDP) messages and long synchronization sequence number (SYN) messages through zombie hosts (clients controlled by the hacker) and saturates the server's bandwidth, so that normal clients cannot reach the server. In a resource-consuming attack, a large number of short SYN messages, short Acknowledgement (ACK) messages, Hypertext Transfer Protocol (HTTP) messages and the like are sent as malicious requests, so that the server is busy processing them, exhausts its resources and cannot respond to normal requests, thereby achieving denial of service.
Against DDoS attacks, the related art provides various protection schemes, such as a source IP validity verification strategy, a rate-limiting protection strategy based on source IP and destination IP, and a watermark-based protection strategy.
However, all of these strategies have problems. Take the source IP validity verification strategy: it is usually implemented by returning a challenge packet, or by discarding the first packet and relying on the client to retransmit it automatically; as soon as the attacker launches the DDoS attack from real IP addresses, this scheme offers no protection. Take the rate-limiting strategy: it may wrongly drop normal traffic and cannot completely limit attack traffic. Take the watermark-based strategy: when the attacker performs a replay attack with stolen legitimate messages, it cannot protect effectively.
Therefore, the embodiments of the invention provide a network protection method. Before the network protection method of the present application is introduced, the architecture of the network protection system (i.e., the protection end) is briefly described.
Fig. 1 is a schematic topology diagram of a network defense system according to an embodiment of the present invention. Referring to fig. 1, the network defense system 10 is connected to a router 20, the router 20 typically being a core router in a network. The router 20 is connected with the operator network 30, and the router 20 is connected with the server 50 through the switch 40, so that the server 50 is connected with other devices of the network. Where a router 20 may connect to multiple switches 40, the switches 40 may be core switches, and each switch 40 may connect to one or more servers 50.
The network defense system 10 includes an attack detection subsystem 101, a defense subsystem 102 and a control subsystem 103, and the three subsystems may be implemented by separate devices (e.g., servers), or two or three of the subsystems may be integrated on one device.
When forwarding traffic sent to server 50, router 20 generates mirrored traffic and sends it to attack detection subsystem 101. The attack detection subsystem 101 detects whether each server 50 is under attack and, when it detects that a server 50 is attacked, outputs alarm information to the protection subsystem 102 and the control subsystem 103.
When receiving the alarm information, the protection subsystem 102 filters the server message, and returns the filtered server message to the router 20, and then the router 20 transmits the server message to the server 50. In the protection process, the protection subsystem 102 may determine a malicious user, and store the malicious user information in the control subsystem 103.
The server is any one of the servers connected to the router 20.
Fig. 2 is a flowchart of a network defense method according to an embodiment of the present invention, referring to fig. 2, the method is performed by the foregoing network defense system, and the method includes:
step 101: when the server is attacked, a message sent to the server is obtained, wherein the message comprises a user identifier and a security watermark.
In the embodiments of the invention, a server being attacked means that the server receives a large amount of attack traffic, so whether the server is attacked can be determined from the amount of traffic sent to the server per unit time.
In this embodiment of the present invention, the traffic sent to the server may include at least one of Transmission Control Protocol (TCP) traffic and UDP traffic, where the TCP traffic is data transmitted to the server by using a TCP Protocol, and the UDP traffic is data transmitted to the server by using a UDP Protocol. Therefore, the message sent to the server may be a UDP message, or may also be a SYN message, an ACK message, a TCP message, or the like, where the SYN message and the ACK message are messages transmitted when the client establishes a TCP connection with the server.
The user identifier in the message may be a user name, a user number, or a user hash value (playhash). For example, in the field of games, the user identifier may be the user name used when the user registered for the game, the user number obtained at registration, or a user hash value obtained by hashing the user name. Game services, among the highest-earning internet services, are frequently subjected to DDoS attacks driven by malicious players, malicious competition and the like. A DDoS attack on a game service can cause serious consequences such as game disconnections, player loss, reputation damage and loss of income, so the scheme provided by the application is particularly suitable for game services and can ensure their stable operation.
In the embodiments of the invention, the user hash value can be used to represent the user identifier. Its length is fixed: user names or user numbers of different lengths all yield user hash values of the same length after the hash operation, so the user hash value is conveniently carried in the message.
The security watermark (watermark) in the message is calculated as follows: the destination address (the IP address of the server), the destination port and the user identifier are taken as calculation factors, and the security watermark is computed from them with a watermark calculation method. The watermark calculation method may be the CRC32 algorithm or another algorithm, which is not limited in this application.
Step 102: detect the legality of the message according to the security watermark in the message to obtain a detection result. When the detection result is that the message is legal, execute step 103. When the detection result is that the message is illegal, execute step 104.
The watermark calculation method is defined in advance: the client uses it to calculate the security watermark, and the network protection system uses the same method to verify the security watermark.
In step 102, detecting the legality of the message according to the security watermark to obtain a detection result means that the network protection system generates a verification watermark and determines the legality of the message by comparing the verification watermark with the security watermark.
Step 103: count the number of times the user identifier in the message has occurred within the period. When the number of occurrences of the user identifier within the period exceeds the threshold, execute step 104. When it does not exceed the threshold, execute step 105.
If the message is judged legal in step 102 according to the security watermark, there are two possibilities: it is a normal message sent by a normal client, or it is a message sent by the attacker through a replay attack. A normal client does not send too many messages within one period, whereas a replay attack has to send a large number of messages within the period in order to overwhelm the server, so counting the occurrences of the user identifier within the period in step 103 filters out the messages sent by the replay attack.
Step 104: discard the message.
Discarding the message prevents the attack message from reaching the server and from affecting normal service operation.
Step 105: forward the message to the server.
A normal message that has passed the above checks must be forwarded to the server, so that normal service is not affected.
According to the method and device, after a message sent by the client is received, the security watermark in the message is verified first to determine whether the message is legal; when the detection result is that the message is legal, the number of times the user identifier in the message has occurred within the period is counted, and whether to forward or intercept the message is decided according to whether that number exceeds a threshold. Through the cooperation of the security watermark and the per-period count of the user identifier, the scheme can intercept illegal messages sent by common attack methods as well as messages sent by replay attack, without affecting the transmission of normal messages, so that normal operation of the server is ensured.
Fig. 3 is a flowchart of another network defense method provided in an embodiment of the present invention, and referring to fig. 3, the method is executed by the foregoing network defense system and the client, and the method flow includes:
Step 200: the client sends a message to the server, the message comprising the user identifier and the security watermark.
The user identifier in the message may be a user name, a user number, or a user hash value. For example, in the field of games, the user identifier may be the user name used when the user registered for the game, the user number obtained at registration, or a user hash value obtained by hashing the user name.
In the embodiments of the invention, the user hash value can be used to represent the user identifier. Its length is fixed: user names or user numbers of different lengths all yield user hash values of the same length after the hash operation, so the user hash value is conveniently carried in the message.
The security watermark in the message is computed as follows: the destination address (the IP address of the server), the destination port and the user identifier are taken as calculation factors, and the security watermark is computed from them with a watermark calculation method.
In the embodiments of the invention, the message comprises a payload, and the first bytes of the payload are the user identifier and the security watermark, so that the network protection system can extract the user identifier and the security watermark from the message for verification with little processing cost. Fig. 4 is a schematic structural diagram of a packet according to an embodiment of the present invention. Referring to Fig. 4, the packet includes an IP header, a TCP/UDP header, a security watermark, a user hash value, and data; the security watermark and the user hash value are 4 bytes each and occupy the first 8 bytes of the payload. The security watermark, the user hash value and the data together form the payload of the message.
Specifically, this step may include: the client calculates the security watermark; generates a message according to the security watermark; and sends the generated message to the server. The client may calculate the security watermark as follows: the client calls a watermark plug-in, and the plug-in carries the watermark calculation method, such as the CRC32 algorithm or another algorithm, which is not limited in this application. Packaging the watermark calculation method into a plug-in means the client does not need to know the algorithm implementation and simply calls the plug-in, so the implementation is simple, the plug-in is more stable, and updating is easier: if the watermark calculation method changes, the plug-in can be replaced directly.
It should be noted that although the destination of the message generated by the client is a server, which indicates that the message is sent to the server, the message may not reach the server eventually, and when the message passes through a router connected to the network protection system, the message may be intercepted, so that the message cannot reach the server. Therefore, the transmission process is indicated by a dotted line in fig. 3.
Step 201: the network protection system judges whether each server is attacked or not.
In the embodiments of the invention, a server being attacked means that the server receives a large amount of attack traffic, and in the application whether the server is attacked can be determined from the traffic sent to the server per unit time. This step 201 is implemented by the attack detection subsystem of the network protection system and may include:
first, the network protection system receives the mirrored traffic sent by the router.
The mirrored traffic includes all kinds of traffic sent to the server, such as UDP traffic and TCP traffic. According to the destination address of the messages in the traffic, the amount of traffic sent to the server per unit time is counted; for example, the traffic sent to the server per unit time is 50G.
In the embodiments of the invention, the mirrored traffic sent by the router includes traffic for a plurality of servers, so during statistics the traffic of each server is counted separately. When the mirrored traffic includes traffic for a plurality of servers, the subsequent steps are also performed separately for the traffic of each server.
Second, determine whether the server is attacked according to the traffic sent to the server per unit time and the security threshold corresponding to the server.
For example, the security threshold corresponding to the server is obtained; the traffic sent to the server per unit time is compared with the corresponding security threshold; and when the traffic sent to the server per unit time is smaller than the corresponding security threshold, the server is determined not to be attacked.
The security threshold corresponding to the server may be stored in the network protection system in advance, and the security threshold of each server is related to the function of the server; for example, the security thresholds of a Domain Name System (DNS) server and a video server differ in size. A default security threshold is adopted for a server without a configured security threshold.
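As an added example (not code from the patent or from Tencent), the per-server traffic check of step 201 in Python: mirrored packets are aggregated by destination address over one unit of time, each server's rate is compared with its configured security threshold, and a default threshold is used where none is configured. The class and function names, the threshold values, the RFC 5737 documentation addresses and the sample packet list are constructed for this illustration.

```python
from collections import defaultdict

# Assumed default threshold (bits per second) for servers without a configured one.
DEFAULT_THRESHOLD_BPS = 10 * 10**9

# Constructed per-server thresholds, keyed by server IP (RFC 5737 documentation addresses).
SECURITY_THRESHOLDS_BPS = {
    "203.0.113.10": 10 * 10**6,   # a small DNS server: 10 Mbit/s
    "203.0.113.20": 20 * 10**9,   # a video server: 20 Gbit/s
}


class AttackDetectionSubsystem:
    """Counts mirrored traffic per destination server and compares it with
    that server's security threshold once per unit of time."""

    def __init__(self, thresholds_bps, default_bps=DEFAULT_THRESHOLD_BPS):
        self.thresholds_bps = dict(thresholds_bps)
        self.default_bps = default_bps
        self._bytes_by_server = defaultdict(int)

    def observe(self, mirrored_packets):
        """mirrored_packets: iterable of (destination_ip, packet_length_bytes)."""
        for dst_ip, length in mirrored_packets:
            self._bytes_by_server[dst_ip] += length

    def threshold_for(self, server_ip):
        """Configured security threshold, or the default when none is stored."""
        return self.thresholds_bps.get(server_ip, self.default_bps)

    def evaluate(self, unit_seconds=1.0):
        """Returns alarm information as {server_ip: True if attacked}.
        A server whose rate is below its threshold is not attacked; otherwise it is.
        Counters are reset for the next unit of time."""
        alarms = {}
        for server_ip, nbytes in self._bytes_by_server.items():
            bits_per_second = nbytes * 8 / unit_seconds
            alarms[server_ip] = bits_per_second >= self.threshold_for(server_ip)
        self._bytes_by_server.clear()
        return alarms


def sample_mirrored_traffic():
    """Constructed one-second sample of mirrored packets as (dst_ip, length)."""
    traffic = []
    traffic += [("203.0.113.10", 1500)] * 1000   # 12 Mbit/s to the DNS server
    traffic += [("203.0.113.20", 1500)] * 100    # 1.2 Mbit/s to the video server
    traffic += [("203.0.113.30", 1500)] * 500    # 6 Mbit/s to an unconfigured server
    return traffic


def run_detection():
    """One detection round over the constructed sample; returns the alarm dict."""
    detector = AttackDetectionSubsystem(SECURITY_THRESHOLDS_BPS)
    detector.observe(sample_mirrored_traffic())
    return detector.evaluate(unit_seconds=1.0)


if __name__ == "__main__":
    for ip, attacked in run_detection().items():
        print(ip, "ATTACKED" if attacked else "normal")
```

Only the DNS server trips its threshold in the sample: 1000 packets of 1500 bytes in one second is 12 Mbit/s against a 10 Mbit/s threshold, while the video server and the unconfigured server stay far below theirs.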
Step 202: when the server is attacked, the network protection system acquires a message sent to the server, wherein the message comprises a user identifier and a security watermark.
Step 202 may be performed by a protection subsystem in the network protection system, and when the server is attacked, the subsequent steps are performed; when the server is not attacked, no subsequent steps need to be performed.
Optionally, the method further comprises: when the server is attacked, alarm information is generated. The alarm information is generated by the attack detection subsystem and output to the protection subsystem.
When the protection subsystem receives the alarm information, traffic traction (diversion) is carried out between the protection subsystem and the router, and the traffic of the server is pulled to the protection subsystem.
Traffic traction between the protection subsystem and the router, that is, pulling the server's traffic to the network protection system, can be realized as follows: the protection subsystem is in a Border Gateway Protocol (BGP) neighbour relationship with the router, announces a traction route for the server to the router, and the router then sends the server's traffic to the protection subsystem.
Specifically, two virtual routers can be created in the router: a first virtual router responsible for receiving the messages of the server, and a second virtual router responsible for sending the messages of the server on to the server. The protection subsystem announces a traction route for the server to the first virtual router; the next hop of the traction route is the protection subsystem, and the subnet mask of the traction route is longer than the subnet mask of the route to the server that the first virtual router has learned, so the first virtual router adopts the traction route as the route to the server according to the longest mask matching principle. The first virtual router sends the received messages of the server to the protection subsystem, and the protection subsystem performs network protection. Once the attack on the server is over, the protection subsystem can send a withdrawal of the traction route to the first virtual router, so that messages for the server, when it is not under attack, are no longer sent to the protection subsystem but go directly to the server.
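The traction route mechanism rests on longest-mask matching, which the following added Python example (not part of the patent) makes concrete: the first virtual router has learned a /24 route to the server's subnet via the switch; the protection subsystem announces a /32 traction route, which wins the lookup for the attacked server only, and withdrawing it restores the original path. Router names, next-hop labels and the RFC 5737 documentation addresses are constructed for this example.

```python
import ipaddress


class VirtualRouter:
    """Minimal routing table with longest-prefix (longest mask) matching."""

    def __init__(self, name):
        self.name = name
        self.routes = {}  # ipaddress network -> next-hop label

    def learn(self, prefix, next_hop):
        """Install (or replace) a route; BGP announcement in the page's terms."""
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def withdraw(self, prefix):
        """Remove a route; BGP withdrawal of the traction route."""
        self.routes.pop(ipaddress.ip_network(prefix), None)

    def next_hop(self, destination):
        """Longest mask wins among all routes covering the destination."""
        addr = ipaddress.ip_address(destination)
        candidates = [(net, hop) for net, hop in self.routes.items() if addr in net]
        if not candidates:
            return None
        _best_net, best_hop = max(candidates, key=lambda item: item[0].prefixlen)
        return best_hop


def traction_scenario():
    """Next hops for the attacked server and a neighbour before, during and
    after the traction route is announced. All addresses are constructed."""
    first_vr = VirtualRouter("first-virtual-router")
    first_vr.learn("203.0.113.0/24", "switch-40")   # route learned normally

    attacked_server = "203.0.113.10"
    neighbour_server = "203.0.113.11"
    before = (first_vr.next_hop(attacked_server), first_vr.next_hop(neighbour_server))

    # Protection subsystem announces a /32 traction route over its BGP session:
    # longer mask than the learned /24, so it is preferred for this server only.
    first_vr.learn(attacked_server + "/32", "protection-subsystem-102")
    during = (first_vr.next_hop(attacked_server), first_vr.next_hop(neighbour_server))

    # Attack over: the traction route is withdrawn and normal forwarding resumes.
    first_vr.withdraw(attacked_server + "/32")
    after = (first_vr.next_hop(attacked_server), first_vr.next_hop(neighbour_server))
    return before, during, after


if __name__ == "__main__":
    for label, hops in zip(("before", "during", "after"), traction_scenario()):
        print(label, hops)
```

The neighbour on the same /24 keeps its normal next hop throughout, which is the property that lets the protection subsystem pull only the attacked server's traffic rather than the whole subnet.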
Step 203: the network protection system detects the legality of the message according to the security watermark in the message to obtain a detection result. When the detection result is that the message is legal, execute step 204. When the detection result is that the message is illegal, execute step 205.
In step 203, detecting the legality of the message according to the security watermark to obtain a detection result means that the network protection system generates a verification watermark and determines the legality of the message by comparing the verification watermark with the security watermark.
Step 203 may be performed by the protection subsystem of the network protection system, and specifically may include: acquiring the user identifier and the security watermark from the message; computing a verification watermark from the user identifier with the watermark calculation method; comparing whether the verification watermark is the same as the security watermark; if they are the same, the message is legal; if they differ, the message is illegal.
The watermark calculation method is defined in advance: the client uses it to calculate the security watermark, and the protection subsystem uses the same method to verify the security watermark.
Step 204: the network protection system counts the number of times the user identifier in the message has occurred within the period. When the number of occurrences of the user identifier within the period exceeds the threshold, execute step 205. When it does not exceed the threshold, execute step 206.
If the message is judged legal in step 203 according to the security watermark, there are two possibilities: it is a normal message sent by a normal client, or it is a message sent by the attacker through a replay attack. A normal client does not send too many messages within one period, whereas a replay attack has to send a large number of messages within the period in order to overwhelm the server, so the messages sent by the replay attack are filtered out by counting the occurrences of the user identifier within the period in step 204.
The period can be set as needed; for example, the period may be 1 second. If 300 packets carrying a certain user identifier are observed within 1 second and the threshold is 250, the number of occurrences of the user identifier within the period exceeds the threshold, which indicates a replay attack, and step 205 is executed.
Step 205: the network protection system discards the message.
By discarding the message, the attack message is prevented from being sent to the server, and the normal service operation is prevented from being influenced.
Step 206: and the network protection system forwards the message to the server.
The protection subsystem returns the filtered message to the router, and the router sends the filtered message to the server.
Specifically, the protection subsystem sends the message of the server to the second virtual router after network protection, and the message is sent to the server by the second virtual router.
The effect of the above protection procedure is explained below by way of example:
Scene 1: an attacker does not know the watermark calculation method, cannot correctly compute the security watermark, and can only forge random garbage messages to launch a DDoS attack.
In this case, the network protection system intercepts the attack messages by performing the watermark check on each message, and the protection succeeds.
Scene 2: an attacker captures normal service messages and launches a DDoS attack by replaying them.
In this case, the watermark check alone cannot intercept the attack messages, because the replayed messages carry valid security watermarks. However, the network protection system counts the number of occurrences of the user identifier in the messages within the period time, finds that this number exceeds the threshold, determines that the user identifier belongs to a malicious user, and intercepts the messages carrying that user identifier, so the protection succeeds.
Optionally, the method may further include: when the number of occurrences of the user identifier in the message within the period time exceeds the threshold, storing the user identifier in the malicious user information. Once the user identifier is stored in the malicious user information, the malicious user information can be used in the subsequent protection process to intercept messages or to process the user account, so that further attacks from that user are avoided.
Optionally, the method may further include: transmitting the malicious user information to the server, so that the server can perform online countermeasures such as malicious account auditing, account banning and reporting according to the malicious user information. When the user identifier is a user hash value, the server stores a table mapping user names or user numbers to user hash values; the corresponding user name or user number is looked up by the user hash value, so that operations such as account banning can be carried out.
Further, the method may further include:
before detecting the legality of the message, determining whether the user identifier in the message exists in the malicious user information; and when the user identifier in the message exists in the malicious user information, discarding the message.
Further, the time during which the malicious user information is used for interception may be limited. For example, within a period of time (e.g., 30 minutes, 1 hour, etc.) after the user identifier is added to the malicious user information, all messages carrying that user identifier are intercepted. After this period has elapsed, messages carrying the user identifier are no longer intercepted outright, but are again subject to the checks of steps 203 and 204.
In this way, messages sent by a user who previously carried out a malicious attack can be intercepted cheaply, reducing the processing load on the protection subsystem. After the period has elapsed, messages of the user identifiers in the malicious user information are no longer intercepted, which avoids continuing to intercept the user's normal service messages after the replay attack that used that user's messages has ended.
According to the method and apparatus of this application, after a message sent by the client is received, the security watermark in the message is verified first to determine whether the message is legal. When the detection result is that the message is legal, the number of occurrences of the user identifier in the message within the period time is counted, and the message is forwarded or intercepted according to whether that number exceeds the threshold. By combining the security watermark check with the counting of occurrences of the user identifier within the period time, the scheme can intercept illegal messages sent by common attack methods as well as messages sent by replay attacks, without affecting the transmission of normal messages, so that normal operation of the server is ensured.
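The following is an added example, not code from the patent or from the applicant, that models the protection subsystem's steps 203 to 206 together with the optional malicious-user list and its time-limited interception window. Everything not stated on the page is an assumption: the watermark calculation method is taken to be HMAC-SHA256 under a shared key over the destination address, destination port and user identifier (the calculation factors named in claim 3), the payload is assumed to begin with a 16-byte user identifier followed by a 16-byte truncated watermark, and the occurrence count uses a sliding window of `period` seconds rather than fixed cycles. The names `ProtectionSubsystem`, `build_message` and `handle` are the example's own.

```python
"""Model of the watermark check plus per-user-identifier rate counting.

Added example; assumptions (not from the page): HMAC-SHA256 as the watermark
calculation method, 16-byte identifier and 16-byte watermark at the start of
the payload, sliding-window counting, 30-minute malicious-user block window.
"""
import hashlib
import hmac
from collections import defaultdict, deque

ID_LEN = 16  # assumed length of the user identifier (e.g. truncated username hash)
WM_LEN = 16  # assumed length of the security watermark carried in the payload


def compute_watermark(key: bytes, dst_addr: str, dst_port: int, user_id: bytes) -> bytes:
    """Assumed watermark calculation method: keyed hash over the claim-3 factors."""
    factors = dst_addr.encode() + dst_port.to_bytes(2, "big") + user_id
    return hmac.new(key, factors, hashlib.sha256).digest()[:WM_LEN]


def build_message(key: bytes, dst_addr: str, dst_port: int, user_id: bytes, body: bytes) -> bytes:
    """Client side: user identifier and security watermark are the first bytes of the load."""
    return user_id + compute_watermark(key, dst_addr, dst_port, user_id) + body


class ProtectionSubsystem:
    def __init__(self, key: bytes, period: float = 1.0, threshold: int = 250,
                 block_seconds: float = 1800.0):
        self.key = key
        self.period = period            # cycle time (page example: 1 second)
        self.threshold = threshold      # occurrence threshold (page example: 250)
        self.block_seconds = block_seconds  # time-limited interception (page example: 30 min)
        self.counts = defaultdict(deque)    # user_id -> timestamps seen within the period
        self.malicious = {}                 # malicious user information: user_id -> time added

    def handle(self, now: float, dst_addr: str, dst_port: int, payload: bytes) -> str:
        """Return 'forward' or 'discard:<reason>' for one message to the server."""
        if len(payload) < ID_LEN + WM_LEN:
            return "discard:short"
        user_id = payload[:ID_LEN]
        watermark = payload[ID_LEN:ID_LEN + WM_LEN]

        # Optional pre-check: a user identifier already in the malicious user
        # information is dropped outright, but only within the block window.
        added = self.malicious.get(user_id)
        if added is not None:
            if now - added < self.block_seconds:
                return "discard:malicious_user"
            del self.malicious[user_id]  # window over: fall back to steps 203/204

        # Step 203: recompute the verification watermark and compare in constant time.
        expected = compute_watermark(self.key, dst_addr, dst_port, user_id)
        if not hmac.compare_digest(expected, watermark):
            return "discard:bad_watermark"  # scene 1: forged message without the method

        # Step 204: count occurrences of this user identifier within the period.
        window = self.counts[user_id]
        window.append(now)
        while window and now - window[0] >= self.period:
            window.popleft()
        if len(window) > self.threshold:
            # Scene 2: valid watermark but replayed far too often; record and drop.
            self.malicious[user_id] = now
            return "discard:replay"

        # Steps 205/206 decided: below threshold, forward to the server.
        return "forward"


if __name__ == "__main__":
    key = b"example-shared-key"  # constructed sample key
    uid = hashlib.sha256(b"alice").digest()[:ID_LEN]  # user identifier as a username hash
    sub = ProtectionSubsystem(key)
    msg = build_message(key, "10.0.0.5", 8080, uid, b"hello")
    print(sub.handle(0.0, "10.0.0.5", 8080, msg))
    replays = [sub.handle(1.0 + i * 0.001, "10.0.0.5", 8080, msg) for i in range(300)]
    print(replays.count("forward"), replays.count("discard:replay"),
          replays.count("discard:malicious_user"))
```

The watermark is bound to the destination address and port, so a captured message replayed toward a different server or port fails the check in step 203 even though the key is never exposed to the protection path's attacker; a message replayed toward the same destination passes step 203 and is caught only by the count in step 204, which is why both checks are needed. Counting happens after the watermark check, so forged messages never contribute to a legitimate user's count.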
Fig. 5 is a schematic structural diagram of a network protection apparatus according to an embodiment of the present invention. Referring to fig. 5, the apparatus 300 includes a receiving module 301, a detection module 302, a filtering module 303 and a counting module 304.
The receiving module 301 is configured to obtain, when the server is attacked, a message sent to the server, where the message includes a user identifier and a security watermark. The detection module 302 is configured to detect the legality of the message according to the security watermark in the message, so as to obtain a detection result. The counting module 304 is configured to count the number of occurrences of the user identifier in the message within the period time when the detection result is that the message is legal. The filtering module 303 is configured to discard the message when the number of occurrences of the user identifier in the message within the period time exceeds the threshold, and to forward the message to the server when that number does not exceed the threshold.
In this embodiment of the present invention, the filtering module 303 is further configured to discard the message when the detection result is that the message is illegal.
In this embodiment of the present invention, the detection module 302 is configured to obtain the user identifier and the security watermark from the message; calculate a verification watermark using the watermark calculation method and the user identifier; and compare whether the verification watermark is the same as the security watermark. If the verification watermark is the same as the security watermark, the message is legal; if the verification watermark differs from the security watermark, the message is illegal.
In this embodiment of the invention, the message includes a load, and the first bytes of the load are the user identifier and the security watermark.
In this embodiment of the invention, the user identifier is a user name hash value.
Further, the apparatus may further include a storage module 305. The storage module 305 is configured to store the user identifier in the malicious user information when the number of occurrences of the user identifier in the message within the period time exceeds the threshold.
Further, the filtering module 303 is further configured to determine, before the legality of the message is detected, whether the user identifier in the message exists in the malicious user information, and to discard the message when the user identifier in the message exists in the malicious user information.
It should be noted that: in the network protection device provided in the foregoing embodiment, when implementing the network protection method, only the division of the functional modules is described as an example, and in practical applications, the function distribution may be completed by different functional modules according to needs, that is, the internal structure of the device is divided into different functional modules to complete all or part of the functions described above. In addition, the network protection device and the network protection method provided by the above embodiments belong to the same concept, and specific implementation processes thereof are described in the method embodiments and are not described herein again.
Fig. 6 is a schematic structural diagram of a server according to an embodiment of the present invention. The server may be a network protection system. Specifically:
network defense system 400 includes a Central Processing Unit (CPU)401, a system memory 404 including a Random Access Memory (RAM)402 and a Read Only Memory (ROM)403, and a system bus 405 connecting system memory 404 and central processing unit 401. Network defense system 400 also includes a basic input/output system (I/O system) 406, which facilitates the transfer of information between various devices within the computer, and a mass storage device 407 for storing an operating system 413, application programs 414, and other program modules 415.
The basic input/output system 406 includes a display 408 for displaying information and an input device 409 such as a mouse, keyboard, etc. for user input of information. Wherein a display 408 and an input device 409 are connected to the central processing unit 401 through an input output controller 410 connected to the system bus 405. The basic input/output system 406 may also include an input/output controller 410 for receiving and processing input from a number of other devices, such as a keyboard, mouse, or electronic stylus. Similarly, input/output controller 410 may also provide output to a display screen, a printer, or other type of output device.
The mass storage device 407 is connected to the central processing unit 401 through a mass storage controller (not shown) connected to the system bus 405. The mass storage device 407 and its associated computer-readable media provide non-volatile storage for the network defense system 400. That is, the mass storage device 407 may include a computer-readable medium (not shown) such as a hard disk or CD-ROM drive.
Without loss of generality, computer readable media may comprise computer storage media and communication media. Computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data. Computer storage media includes RAM, ROM, EPROM, EEPROM, flash memory or other solid state memory technology, CD-ROM, DVD or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices. Of course, those skilled in the art will appreciate that computer storage media is not limited to the foregoing. The system memory 404 and mass storage device 407 described above may be collectively referred to as memory.
Network defense system 400 may also operate in accordance with various embodiments of the present invention by connecting to remote computers on a network through a network, such as the internet. That is, the network defense system 400 may connect to the network 412 through the network interface unit 411 connected to the system bus 405, or may connect to other types of networks or remote computer systems (not shown) using the network interface unit 411.
The memory further includes one or more programs, and the one or more programs are stored in the memory and configured to be executed by the CPU. The CPU 401 implements the network defense method shown in fig. 2 or 3 by executing the one or more programs.
Embodiments of the present invention further provide a non-transitory computer-readable storage medium, where instructions in the storage medium, when executed by a processor of a network defense system, enable the network defense system to perform the network defense method provided in the embodiments shown in fig. 2 or fig. 3.
A computer program product containing instructions which, when run on a computer, cause the computer to perform the network defense method provided by the embodiments of fig. 2 or fig. 3 described above.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program instructing relevant hardware, where the program may be stored in a computer-readable storage medium, and the above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.

Claims (10)

1. A method of network defense, the method comprising:
when a server is attacked, acquiring a message sent to the server, wherein the message comprises a user identifier and a security watermark, and the server is attacked, namely the flow sent to the server in unit time is greater than or equal to a security threshold;
detecting the legality of the message according to the security watermark in the message to obtain a detection result;
when the detection result is that the message is legal, counting the times of occurrence in the period time of the user identification in the message;
when the frequency of occurrence within the period time of the user identification in the message exceeds a threshold value, discarding the message;
when the number of occurrences of the user identification in the message within the period time does not exceed the threshold value, forwarding the message to the server.
2. The method according to claim 1, wherein the detecting the validity of the message according to the security watermark in the message to obtain a detection result comprises:
acquiring the user identification and the security watermark from the message;
calculating a verification watermark by adopting a watermark calculation method and the user identifier;
if the verification watermark is the same as the security watermark, the detection result is that the message is legal;
if the verification watermark is different from the security watermark, the detection result is that the message is illegal.
3. The method of claim 2, wherein computing the authentication watermark using the watermark computing method and the user identifier comprises:
calculating the verification watermark by the watermark calculation method, using the destination address, the destination port and the user identification in the message as calculation factors.
4. The method of claim 1, wherein the user identification is a username hash value.
5. The method according to any one of claims 1-4, further comprising:
when the number of occurrences of the user identification in the message within the period time exceeds a threshold value, storing the user identification in malicious user information.
6. The method of claim 5, further comprising:
before the legality of the message is detected, determining whether the user identification in the message exists in the malicious user information;
when the user identification in the message exists in the malicious user information, discarding the message.
7. A network defense apparatus, the apparatus comprising:
the receiving module is used for acquiring a message sent to the server when the server is attacked, wherein the message comprises a user identifier and a security watermark, and the attacked server refers to that the flow sent to the server in unit time is greater than or equal to a security threshold;
the detection module is used for detecting the legality of the message according to the security watermark in the message to obtain a detection result;
the counting module is used for counting the times of occurrence of the user identification in the message within the period time when the detection result is that the message is legal;
the filtering module is used for discarding the message when the frequency of occurrence in the period time of the user identification in the message exceeds a threshold value; and when the frequency of the user identification in the message in the period time does not exceed a threshold value, forwarding the message to the server.
8. The apparatus of claim 7, further comprising a storage module configured to store the user identifier in malicious user information when a number of occurrences within a period time of the user identifier in the message exceeds a threshold.
9. A server, comprising a processor and a memory, wherein the memory has stored therein at least one instruction that is loaded and executed by the processor to implement the network defense method of any of claims 1 to 6.
10. A computer-readable storage medium having stored therein at least one instruction which is loaded and executed by a processor to implement the network defense method of any of claims 1 to 6.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810889947.0A CN109005175B (en) 2018-08-07 2018-08-07 Network protection method, device, server and storage medium

Publications (2)

Publication Number Publication Date
CN109005175A CN109005175A (en) 2018-12-14
CN109005175B true CN109005175B (en) 2020-12-25

Family

ID=64595394

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810889947.0A Active CN109005175B (en) 2018-08-07 2018-08-07 Network protection method, device, server and storage medium

Country Status (1)

Country Link
CN (1) CN109005175B (en)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109309690B (en) * 2018-12-28 2019-04-02 中国人民解放军国防科技大学 Software white list control method based on message authentication code
CN112448889B (en) * 2019-08-28 2022-04-19 北京新能源汽车股份有限公司 Gateway controller route configuration method, device, equipment and automobile
CN114079572A (en) * 2020-08-11 2022-02-22 华为技术有限公司 Network attack defense method, CP device and UP device
CN112003873B (en) * 2020-08-31 2022-04-19 成都安恒信息技术有限公司 HTTP (hyper text transport protocol) traffic defense method and system for resisting DDoS (distributed denial of service) attack
CN114553452B (en) * 2020-11-25 2023-06-02 华为技术有限公司 Attack defense method and protection equipment
CN114095426B (en) * 2021-09-28 2023-04-04 浪潮软件科技有限公司 Message processing method and device of VPP platform
CN113872976B (en) * 2021-09-29 2023-06-02 绿盟科技集团股份有限公司 HTTP2 attack-based protection method and device and electronic equipment
CN113973011A (en) * 2021-10-15 2022-01-25 杭州安恒信息安全技术有限公司 Network attack protection method, system and computer storage medium
CN116405960B (en) * 2021-11-18 2024-03-29 荣耀终端有限公司 Network quality detection method and related electronic equipment
CN115766055A (en) * 2022-09-08 2023-03-07 中国联合网络通信集团有限公司 Method and device for communication message verification

Family Cites Families (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP3651777B2 (en) * 2000-11-28 2005-05-25 株式会社東芝 Digital watermark system, digital watermark analysis apparatus, digital watermark analysis method, and recording medium
CN101039326A (en) * 2007-04-28 2007-09-19 华为技术有限公司 Service flow recognition method, apparatus and method and system for defending distributed refuse attack
US8656170B2 (en) * 2010-05-28 2014-02-18 Cisco Technology, Inc. Protection of control plane traffic against replayed and delayed packet attack
CN102355452B (en) * 2011-08-09 2014-11-26 北京网御星云信息技术有限公司 Method and device for filtering network attack traffic
CN104104652B (en) * 2013-04-03 2017-08-18 阿里巴巴集团控股有限公司 A kind of man-machine recognition methods, network service cut-in method and corresponding equipment
CN104333529B (en) * 2013-07-22 2017-12-12 中国电信股份有限公司 The detection method and system of HTTP dos attacks under a kind of cloud computing environment
CN104917739B (en) * 2014-03-14 2018-11-09 腾讯科技(北京)有限公司 The recognition methods of false account and device
US10211987B2 (en) * 2015-04-27 2019-02-19 Cisco Technology, Inc. Transport mechanism for carrying in-band metadata for network path proof of transit
CN104967610B (en) * 2015-04-30 2018-05-29 中国人民解放军国防科学技术大学 A kind of timeslot-based watermark hopping communication means
CN105429940B (en) * 2015-10-26 2019-03-12 华侨大学 A method of the extraction of network data flow zero watermarking is carried out using comentropy and hash function
CN105592070B (en) * 2015-11-16 2018-10-23 中国银联股份有限公司 Application layer DDoS defence methods and system
CN105376245B (en) * 2015-11-27 2018-10-30 杭州安恒信息技术有限公司 A kind of detection method of rule-based APT attacks
CN107274331B (en) * 2017-06-13 2018-03-13 重庆第二师范学院 Robust watermarking embedding grammar and device for data flow
CN107707547A (en) * 2017-09-29 2018-02-16 北京神州绿盟信息安全科技股份有限公司 The detection method and equipment of a kind of ddos attack

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant